Enabling Kerberos authentication

For a device running the mobile app to properly negotiate the SSO Kerberos authentication, you must configure your mobile device to use Kerberos. You can accomplish this task by creating and installing a configuration profile. You must edit the configuration profile to fit your environment.

About this task

The configuration profile for specifying Kerberos authentication is contained in an XML file that has the file extension .mobileconfig.

Before you begin

Spotfire® for Apple iOS version 2.14.x or higher.
Spotfire® Server 14.0.x or 12.0.x or higher, configured to use Kerberos with Delegation.
Apple iOS version 14 or higher.

Procedure

Copy the XML in the sample .mobileconfig file and save it to a file on your local computer.

Edit the file, changing the values in the tags as follows.

Key	Description
`Name`	Required. Change to the name of the configuration. The default is `Kerberos Config`.
`PrincipalName`	Optional. Change to the user name to use when logging in. The default is `test_user`.
`Realm`	Required. Change to the domain realm specified when you set up Kerberos on the Web Player service. The default is `GSLAB.LOCAL`. Note: The domain realm specified must be upper case.
`URLPrefixMatches`	Required. Change from the sample web addresses to the web address of the Web Player server the mobile app connects to. You can specify multiple web addresses by adding a separate line for each new web address entry. The web address should be the Web Player Server web address. Note: Do not add /SpotfireWeb or /spotfire (or your virtual directory name) to the end of the web address.
`PayloadOrganization`	Required. Change to the name of the organization you want to use. The default is `ORGANIZATION`.

Optional: If you want to be able to access Spotfire analytics through the Safari browser on your iOS device, add the following string to the AppIdentifierMatches array.


				<string>com.apple.mobilesafari</string>

The entire section should read something like the following:

<key>AppIdentifierMatches</key> 
  <array>
    <!-- The line below allows the Spotfire® for Apple iOS App to use the profile -->
    <string>com.tibco.spotfire.SpotfireForIPad</string>
    <!-- Uncomment the line below if you want to allow Safari to also use the profile -->
    <string>com.apple.mobilesafari</string>
  </array>

Saved the edited configuration file.
Install this edited .mobileconfig profile file on your mobile device.
This is most easily done by attaching the saved .mobileconfig file to an e-mail and sending it to an account that the mobile device users can access. When you tap on the attachment in the email on the mobile device, you are prompted to install the configuration profile.
Note: If you get an Invalid Profile error when you attempt to install the file, then the file contains a configuration error that you must fix.
The configuration can fail silently without an error message. After installing the profile, check Profiles setting in General > Settings. If the profile does not exist, check your configuration file for errors.

Confirm that all values your provided are properly filled in and formatted, and that you did not accidentally change, add, or delete any XML tags.

Results

The mobile device is now configured for single-sign on using Kerberos.

What to do next

To test the configuration, restart your device. Open the Analytics app on your mobile device. If you have not already done so, add the library server with the Kerberos authentication you configured. When you add the library server in the app, it does not matter what you specify for Username and Password, because these values are not used when your mobile device authenticates using Kerberos. You can leave these fields empty.